How to root any Allwinner device running Android and most of the Chinese “Pi” clones which bet on Allwinner Android Linux Kernel



I got this interesting Tweet this morning from Ken Tindell @kentindell

I decided to check what this is about and expand the message … then LMAO!


David Manouchehri @DaveManouchehri found interesting code in the Allwinner GitHub: https://github.com/allwinner-zh/linux-3.4-sunxi

What does this mean? If the string “rootmydevice” passes through the sunxi_debug process, it assigns you root privileges.

My first thought was: who the hell will use the original Linux Kernel 3.4 extracted from Android, made by Allwinner and containing binary blobs, when there is a completely Free Open Source alternative developed by the Linux-Sunxi community?

…and while thinking about it and scrolling down, I found this:


Some guy decided to try it on his Orange Pi – you see the result: he got root access to the device with a simple echo command!

Damn! And this is put in without conditional flags, i.e. always embedded in the kernel; you can’t remove it!

If the guys from Allwinner were smart enough, they would at least hide this in the binary blobs, so no one could see it!

This is just yet another example of what you are exposed to when you use kernels with binary blobs inside, not to mention the security quality of the code which Allwinner developers produce!

Fortunately we use the Linux-Sunxi community kernel, which is 100% open source with no binary blobs!

(Well, if you want hardware acceleration, the GPU drivers still come as binary blobs and no one knows what is inside, but liberating them looks like a heap of work and no one has been interested in doing it so far.)

Here is what the OLinuXino kernel responds to the same command:


What does this mean? All devices which run the Allwinner Linux Kernel 3.4 are subject to this backdoor security flaw, and you can easily gain root access on any of them!
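One way to audit a board for this, as an added example (not code from the post, from Allwinner or from linux-sunxi): a POSIX shell script that reports whether the kernel exposes the sunxi_debug node, without ever writing to it. It assumes the node path /proc/sunxi_debug/sunxi_debug, which the post does not spell out.

```shell
#!/bin/sh
# Added audit script, not code from the post, from Allwinner or from linux-sunxi.
# It reports whether the running kernel exposes the sunxi_debug proc node that
# grants root when "rootmydevice" is written to it. It only inspects the node
# and never writes to it.
#
# Assumption: the node lives at /proc/sunxi_debug/sunxi_debug (the path reported
# for the linux-3.4-sunxi tree); the post's screenshots do not show the path.
SUNXI_DEBUG_NODE="${SUNXI_DEBUG_NODE:-/proc/sunxi_debug/sunxi_debug}"

# Print one of: absent, present-readonly, present-writable.
# "present-writable" as an unprivileged user is the actual exposure.
check_sunxi_debug_node() {
    node="$1"
    if [ ! -e "$node" ]; then
        echo absent
    elif [ -w "$node" ]; then
        echo present-writable
    else
        echo present-readonly
    fi
}

# Coarse version hint only: Allwinner's BSP trees report 3.4.x, but so does the
# sun7i 3.4.103 community kernel the post praises, and mainline is unaffected.
# The node check above is the decisive test.
classify_kernel() {
    case "$1" in
        3.4.*) echo bsp-3.4-candidate ;;
        *)     echo not-bsp-3.4 ;;
    esac
}

# Combine both observations into a short report for the running system.
report() {
    release=$(uname -r)
    state=$(check_sunxi_debug_node "$SUNXI_DEBUG_NODE")
    echo "kernel:  $release ($(classify_kernel "$release"))"
    echo "node:    $SUNXI_DEBUG_NODE -> $state"
    case "$state" in
        present-writable) echo "verdict: VULNERABLE, unprivileged root via debug node" ;;
        present-readonly) echo "verdict: EXPOSED, node present but not writable by this user" ;;
        *)                echo "verdict: OK, sunxi_debug node not present" ;;
    esac
}

report
```

Set SUNXI_DEBUG_NODE in the environment if the node is mounted elsewhere on your image; a "present-writable" result for a normal user is the condition the post describes.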

8 Comments

  1. Thomas
    May 10, 2016 @ 09:14:36

    You missed the point. In your sun7i 3.4.103 kernel this specific local privilege escalation is not present, since Allwinner introduced it with the sun8i 3.4 kernel variant last year. All details: http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/

    So in case you would’ve already prepared OS images for your new H3 devices, you might’ve been affected too. And if you still use 3.4.103 on your OS images for A10/A20 boards, then I would suspect something’s wrong (since we’re already at 3.4.112 there — mostly security fixes BTW).

    Reply

    • OLIMEX Ltd
      May 10, 2016 @ 09:45:39

      Yes, we are still on 3.4.103 as it works and we do not want to touch it. No offence, I appreciate what you do, but we made a few attempts to move to a newer kernel and always something is broken (for instance a freeze after a few hours of intensive video play etc., which is hard to catch, but obviously a memory leak or something else). For most of our customers 3.4.103 works fine, it supports all the hardware we use and it has been tested for many months 24/7 under different loads without problems.

      Reply

  2. Thomas
    May 10, 2016 @ 09:52:45

    BTW: You should keep in mind that the kernel tree you’re referring to (‘Linux-Sunxi community kernel which is 100% open source’) contains hardware drivers and stuff taken from Allwinner’s BSP kernel 3.4.39 released a few years ago. So while _this_ specific local privilege escalation is not possible with the sun7i 3.4.103 kernel you use, the drivers might hide other unwanted ‘surprises’.

    Switching to mainline kernel is the better alternative for most use cases in the meantime. A10/A20 support is pretty good. And according to our download logs Lime/Lime2 users relying on Armbian prefer mainline over 3.4 already 🙂

    Reply

  3. ssvb
    May 10, 2016 @ 11:58:20

    Guess what? The mainline kernel also has privilege escalation bugs getting discovered on a regular basis.

    Also some people are in fact interested in rooting their Android devices. So Allwinner might have probably thought that they were doing a good thing for their users 🙂 See https://en.wikipedia.org/wiki/Rooting_(Android_OS)

    The users of the Chinese “Pi” clones based on the same A20 SoC can and do run the mainline kernel on their boards too. So the A20 boards from OLIMEX do not have any real advantage at least in the software support. But OLIMEX boards do have their own advantages because they are OSHW compliant, which is definitely a good thing.

    Reply

    • OLIMEX Ltd
      May 10, 2016 @ 12:13:35

      Sure, I do not argue that every A20 board could run proper software. I’m just puzzled why they decided to run this kernel when there is a better alternative!
      These “debug” leftovers seem to me more like lazy programmers forgetting to clean their code before committing for production than intentionally left backdoors, but who knows.

      Reply

      • Thomas
        May 10, 2016 @ 13:39:44

        Which ‘better alternative’ are you referring to? The problem only affects Allwinner’s BSP 3.4.x kernel released for H3/A83T last year (not A20 or any other Allwinner device — unfortunately you chose a rather misleading title for this blog post). H3/A83T contain different IP Blocks for many things and linux-sunxi community is still busy writing mainline code for this stuff from scratch.

        Until mainline kernel support for H3/A83T is ready there simply has been no alternative if you wanted to run an H3 device a few weeks/months ago. Which kernel sources do you currently use for testing your new H3 based OlinuXinos?

        BTW: While it’s a good idea to patch this flaw ASAP I would believe that most affected OS images relying on this kernel (for Orange and Banana Pi) are that insecure by design (sudo without authentication for default user) that it doesn’t matter that much whether the fix is applied or not.

        Any news on your H3 boards while we’re already at it? 🙂

  4. Trackback: How to root any #Allwinner device running Android and most of the C… | Dr. Roy Schestowitz (罗伊)
  5. Trackback: Easily Root Allwinner Android Devices Running Linux 3.4 Kernel « Adafruit Industries – Makers, hackers, artists, designers and engineers!
